Dynamic re-composition of patch groups using stream clustering

ABSTRACT

Techniques for dynamic server groups that can be patched together using stream clustering algorithms, and learning components in order to reuse the repeatable patterns using machine learning are provided herein. In one example, in response to a first risk associated with a first server device, a risk assessment component patches a server group to mitigate a vulnerability of the first server device and a second server device, wherein the server group is comprised of the first server device and the second server device. Additionally, a monitoring component monitors data associated with a second risk to the server group to mitigate the second risk to the server group.

BACKGROUND

The subject disclosure relates to cloud management, and more specifically, to dynamic re-composition of patch groups using stream clustering.

SUMMARY

The following presents a summary to provide a basic understanding of one or more embodiments of the disclosure. This summary is not intended to identify key or critical elements, or delineate any scope of the particular embodiments or any scope of the claims. Its sole purpose is to present concepts in a simplified form as a prelude to the more detailed description that is presented later. In one or more embodiments described herein, devices, systems, computer-implemented methods, apparatus and/or computer program products that facilitate dynamic re-composition of patch groups using stream clustering are described.

According to an embodiment, a system can comprise a memory that stores computer executable components, and a processor that executes the computer executable components stored in the memory. The computer executable components of the system can comprise a risk management component that, in response to a first risk associated with a first server device, patches a server group to mitigate a vulnerability of the first server device and a second server device, wherein the server group is comprised of the first server device and the second server device. The computer executable components of the system can also comprise a monitoring component that monitors data associated with a second risk to the server group to mitigate the second risk to the server group.

According to another embodiment, a computer program product that facilitates server group patching can comprise a computer readable storage medium having program instructions embodied therewith. The program instructions can be executable by a processor and the processor can, in response to a first risk associated with a first server device, patch a server group to mitigate a vulnerability of the first server device and a second server device, wherein the server group is comprised of the first server device and the second server device. The program instructions can also be executable to monitor, by the processor, data associated with a second risk to the server group to mitigate the second risk to the server group.

According to yet another embodiment, a computer-implemented method is provided. The computer-implemented method can comprise, in response to a first risk associated with a first server device, patching, by a device operatively coupled to a processor, a server group to mitigate a vulnerability of the first server device and a second server device, wherein the server group is comprised of the first server device and the second server device. The computer-implemented method can also comprise monitoring, by the device, data associated with a second risk to the server group to mitigate the second risk to the server group.

According to yet another embodiment, a system can comprise a memory that stores computer executable components, and a processor that executes the computer executable components stored in the memory. The computer executable components of the system can comprise a risk management component that, in response to a first risk associated with a first server device, patches a server group to mitigate a vulnerability of the first server device and a second server device, wherein the server group is comprised of the first server device and the second server device. The computer executable components of the system can also comprise a monitoring component that monitors data associated with a second risk to the server group to mitigate the second risk to the server group. Furthermore, the computer executable components of the system can also comprise a learning component that analyzes risk data associated with a previous risk received from a workstation device, resulting in a risk prediction.

According to yet another embodiment, a computer program product that facilitates server group patching can comprise a computer readable storage medium having program instructions embodied therewith. The program instructions can be executable by a processor and the processor can, in response to a first risk associated with a first server device, patch a server group to mitigate a vulnerability of the first server device and a second server device, wherein the server group is comprised of the first server device and the second server device. The program instructions can also be executable to monitor, by the processor, data associated with a second risk to the server group to mitigate the second risk to the server group. The program instructions can also be executable to analyze, by the processor, risk data associated with a previous risk received from a workstation device, resulting in a risk prediction.

In some embodiments, one or more of the above elements described in connection with the systems, computer-implemented methods and/or computer program products can be embodied in different forms such as a computer-implemented method, a computer program product, or a system.

DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of an example, non-limiting system that facilitates grouping and patching of machines in accordance with one or more embodiments described herein.

FIG. 2 illustrates another block diagram of an example, non-limiting system that facilitates a machine grouping analysis in accordance with one or more embodiments described herein.

FIG. 3 illustrates an additional block diagram of an example, non-limiting machine patching component in accordance with one or more embodiments described herein.

FIG. 4 illustrates yet another block diagram of an example, non-limiting system that facilitates stream clustering in accordance with one or more embodiments described herein.

FIG. 5 illustrates an additional block diagram of an example, non-limiting system that facilitates micro-stream clustering in accordance with one or more embodiments described herein.

FIG. 6 illustrates a flow diagram of an example, non-limiting process overview in accordance with one or more embodiments described herein.

FIG. 7 illustrates a flow diagram of an example, non-limiting flow diagram that facilitates assessments for risk measurements in accordance with one or more embodiments described herein.

FIG. 8 illustrates a flow diagram of an example, non-limiting computer-implemented method that facilitates grouping and patching of machines in accordance with one or more embodiments described herein.

FIG. 9 illustrates a flow diagram of another example, non-limiting computer-implemented method that facilitates grouping and patching of machines in accordance with one or more embodiments described herein.

FIG. 10 illustrates a flow diagram of another example, non-limiting computer-implemented method that facilitates grouping and patching of machines in accordance with one or more embodiments described herein.

FIG. 11 illustrates a block diagram of an example, non-limiting operating environment in which one or more embodiments described herein can be facilitated.

FIG. 12 illustrates a block diagram of an example, non-limiting cloud computing operating environment according to one or more embodiments described herein.

FIG. 13 illustrates a block diagram of example, non-limiting abstraction model layers according to one or more embodiments described herein.

DETAILED DESCRIPTION

The following detailed description is merely illustrative and is not intended to limit embodiments and/or application or uses of embodiments. Furthermore, there is no intention to be bound by any expressed or implied information presented in the preceding Background or Summary sections, or in the Detailed Description section.

One or more embodiments are now described with reference to the drawings, wherein like referenced numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a more thorough understanding of the one or more embodiments. It is evident, however, in various cases, that the one or more embodiments can be practiced without these specific details.

It is to be understood that although this disclosure includes a detailed description on cloud computing, implementation of the teachings recited herein is not limited to a cloud computing environment. Rather, embodiments of the present invention are capable of being implemented in conjunction with any other type of computing environment now known or later developed.

Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models.

Machines operating within the same environment can benefit from the same software patch (e.g., patch group) to mitigate common vulnerabilities. For example, an application can be executed on multiple servers. Thus, a web server, a database, and/or a cache, can run an application on multiple servers or different physical machines, which can increase vulnerability to malware, viruses, attacks, etc. Because some machines can share common vulnerabilities, grouping the machines together and applying a patch to the group can create a better defense and/or security against common vulnerabilities, as opposed to patching the machines one at a time.

One or more embodiments described herein can patch a group of machines that share a common vulnerability. The patch group can be defined in different granularities and the patch group can be dynamically adjusted. One or more embodiments described herein include systems, computer-implemented methods, apparatus, and computer program products that facilitate patching of machines.

FIG. 1 illustrates a block diagram of an example, non-limiting system that facilitates grouping and patching of machines in accordance with one or more embodiments described herein. In various embodiments, the system 100 can be associated with or included in a data analytics system, a data processing system, a graph analytics system, a graph processing system, a big data system, a social network system, a speech recognition system, an image recognition system, a graphical modeling system, a bioinformatics system, a data compression system, an artificial intelligence system, an authentication system, a syntactic pattern recognition system, a medical system, a health monitoring system, a network system, a computer network system, a communication system, a router system, a server system or the like.

As shown, system 100 can comprise a control device 112 and one or more physical machines 104, 106, 110 communicatively coupled to one or more cloud networks 102, 108. In some embodiments, the cloud networks 102, 108 can comprise virtual machines (not shown). The control device 112, physical machines 104, 106, 110 and/or one or more virtual machines can be electrically and/or communicatively coupled to one another in one or more embodiments.

In one embodiment, the control device 112 can perform patching of machines by identifying machines that share common risks. Common risks can include, but are not limited to: malware, viruses, memory leaks, cyber attacks, etc. It should be understood, with reference to this disclosure, a machine can be a server device, a virtual machine, a central processing unit (CPU), a physical machine, etc. In one embodiment, the control device 112 can group the physical machines 104, 106, 110 in the cloud network 102. The physical machines 104, 106, 110 can also be representative of the virtual machines.

In some embodiments, the physical machines 104, 106, 110 can be grouped by the control device 112 based on a common characteristic and/or a common threat or vulnerability of the physical machines 104, 106, 110. The control device 112 can be capable of monitoring individual physical machines and/or groups of physical machines. For example, the control device 112 can receive data associated with a vulnerability of the physical machine 104, if the operating system (OS) of the physical machine has experienced a memory leak. Because physical machine 106 is grouped with physical machine 104 in the cloud network 102, the control device 112 can determine that physical machine 106 may also be in jeopardy of a memory leak, and the vulnerability of physical machine 104 can expose the OS of physical machine 106 to attacks. Therefore, the control device 112 can apply a common patch to the software, middleware, and/or OS running within the environment associated with the cloud network 102 to mitigate the vulnerability. It should also be understood that from time to time, the control device 112 can perform system checks on the physical machines 104, 106, 110 to preemptively determine if there is a vulnerability associated with one or more of the physical machines rather than wait for the data to be sent from the physical machines 104, 106, 110.

In some embodiments, cloud operations such as migration, scalability, snap-shot, and replication can result in a change of state of the application or physical machine. For example, the control device 112 can determine that a change has occurred in a state (e.g., in use, rebooting, etc.) of an application or physical machine. As such, a change in state can change the data structure of the environment, and in one or more embodiments described herein, prompt a group to change by the control device 112, resulting in a dynamic environment change. For instance, at a first point in time, a physical machine can run an application in a first geographical area, and at a second point in time, the application can be run in a second geographical area by another physical machine. Because the application can be run in various geographic locations due to migration, scaling out multiple instances of the application into geographically distributed data centers can increase vulnerability exposure. Thus, in various embodiments described herein, patch groups can be dynamically recomposed whenever there is a change in the environment.

Consequently, in response to another physical machine 110 exhibiting the same characteristics and/or vulnerabilities as the physical machines 104, 106 associated with the cloud network 102, the control device 112 can group the physical machine into the cloud network 108, thereby causing a dynamic environment change. In a dynamically changing environment, change of space of physical machines or data structures is also common. Thus, the control device 112 can transmit information to physical machines 104, 106, 110 to cause a change in the patch group and/or to cause patches to be applied to software associated with the physical machines 104, 106, 110. A patch group is a group of machines operating within the same environment that can benefit from the same software patch to mitigate common vulnerabilities. Because some machines can share common vulnerabilities, grouping the machines together and applying a patch to the group can create a better defense and/or security against common vulnerabilities, as opposed to patching the machines separately.

Patches can be developed and transmitted to and/or received by the machines to fix or mitigate machine vulnerabilities. Patches can be rated in terms of vulnerability and impact the patch can have on a fix. Thus, measuring the vulnerability of software can be represented as a common vulnerability of exposure (CVE) number. For example, the CVE involves the scoring of the vulnerability (e.g., low, medium, high). Consequently, a patch can be associated with a CVE number (e.g., score of 0-10). Thus, the higher the risk of exposure, the higher the CVE number. Therefore, a score of ten can indicate an immediate need for the issue to be remedied. For example, if a specific physical machine has a CVE of ten, then a patch with a rating of ten can be applied to the physical machine to mitigate a vulnerability. Furthermore, the patches can be applied to software running in any environment, which is especially important for the cloud network 102, 108 operations because anyone can access the cloud.

In the cloud network 102, 108, machines can have applications running on multiple servers. Therefore, if one server is compromised, then the other servers can be compromised. For example, if a firewall associated with a server is breached, then one or more of the servers behind that firewall can be seen (not just the server that experienced the breach). Therefore, patching a group of servers that share a common vulnerability can generate system efficiencies. Based on the vulnerability and/or the CVE, the control device 112 can determine exactly what patch is to be used to mitigate the vulnerability.

The system 100 can be employed to use hardware and/or software to solve problems that are highly technical in nature (e.g., software patching, machine grouping, stream clustering, etc.), that are not abstract and that cannot be performed as a set of mental acts by a human due to the processing capabilities needed to facilitate machine grouping and patching, for example. Further, some of the processes (e.g., computer processing, vulnerability pattern recognition, etc.) performed may be performed by a specialized computer for carrying out defined tasks related to memory operations. For example, a specialized computer can be employed to carry out tasks related to software patching or the like. The specialized computer can automatically adjust the cloud network environment in response to an indication that a physical machine 104, 106, 110 is susceptible to a vulnerability.

FIG. 2 illustrates another block diagram of an example, non-limiting system 200 that facilitates a machine grouping analysis in accordance with one or more embodiments described herein. Repetitive description of like elements employed in other embodiments described herein is omitted for sake of brevity.

In another embodiment, the control device 112 can perform machine grouping based on characteristics associated with the physical machines. For example, as depicted in FIG. 2, group A physical machines can be a workload group of machines, group B physical machines can be a network group of machines, and group C physical machines can be an infrastructure group of machines.

Although the control device 112 can group the physical machines separately according to their function (e.g., workload, network, infrastructure, etc.), certain physical machines can comprise multiple characteristics and be grouped into multiple groups. For instance, two of the physical machines 110 can be grouped into all three groups A, B, C. Therefore, there is an overlap of all three groups A, B, C for the physical machines 110. Consequently, if any of the other physical machines 104, 202B, 202C within any of the other groups A, B, C are exposed to a vulnerability, then the two physical machines 110 associated with all three groups A, B, C are also exposed to the same vulnerability. Therefore, if any of the other physical machines 104, 202B, 202C within any of the other groups receive a particular patch from the control device 112, then the two physical machines 110 can also receive the same patch from the control device 112. Likewise, a physical machine 104 is associated with groups A, B. Therefore, if any of the physical machines 104, 202B are exposed to a vulnerability, then the physical machine 104 can also be exposed to the vulnerability. Therefore, the patches applied to the physical machines 104, 202B should also be applied to physical machines 104. It should be understood that although every variance of the aforementioned scenario is not discussed with regards to FIG. 2, the same principles can be applied to other physical machines that are grouped in a like manner.

FIG. 3 illustrates an additional block diagram of an example, non-limiting machine patching component in accordance with one or more embodiments described herein. Repetitive description of like elements employed in other embodiments described herein is omitted for sake of brevity.

In the embodiment shown in FIG. 3, the system 300 can comprise a machine patching component 302 that can receive input data from a remote workstation device 316. It should be noted that the sub-components (e.g., monitoring component 304, learning component 310, adjustment component 306, risk assessment component 308, pattern database 318, and patch database 320), processor 314, and memory 312 can be electrically and/or communicatively coupled to one another. It should also be noted that in alternative embodiments other components including, but not limited to, the sub-components, processor 314, and/or memory 312, can be external to the machine patching component 302. For instance, in another embodiment, the pattern database 318 and the patch database 320 can be external to the machine patching component 302.

In one aspect of FIG. 3, the risk assessment component 308 can assess a risk associated with a server device. For example, a risk can be determined based on a previous risk, software, a manual input, a degradation in performance, etc. For instance, if the control device 112 receives an indication that a physical machine 104, 106, 110 has experienced a reduction in performance, then the control device 112 can scan the physical machine 104, 106, 110 for an indication of malware. If the malware is found, then the control device can determine a CVE associated with the malware and send a patch that correlates to the CVE associated with the malware. Once a risk has been determined, by the risk assessment component 308, with regards to a first server device, the risk assessment component 308 can patch a server group to mitigate a vulnerability of the first server device and a second server device of the server group. The monitoring component 304 can monitor a risk associated with various machines. For instance, if a third server device of the server group experiences a vulnerability, then the monitoring component 304 can observe the vulnerability and indicate that other server devices of the server group should be patched simultaneously with the third server device.

The monitoring component 304 can also comprise a learning component 310, wherein the learning component 310 can analyze previous risks and input data received from the remote workstation device 316 to predict future risks or vulnerabilities to the server devices. For example, if the physical machine 104 has previously been prone to malware attacks, the malware attack, the physical machine 104, and the software patch to mitigate the malware attack can be stored in accordance with a learning algorithm. The learning algorithm can then use the aforementioned data to determine if the same or similar malware attack can occur on the physical machine 104 and share the same or similar patch with a grouped physical machine 106.

The learning component 310 can employ a probabilistic and/or statistical-based analysis to prognose or infer an action that can be performed. A support vector machine (SVM) is an example of a classifier that can be employed. The SVM can operate by finding a hypersurface in the space of possible inputs. Other directed and undirected classification approaches, including, for example, naïve Bayes, Bayesian networks, decision trees, neural networks, fuzzy logic models, and probabilistic classification models providing different patterns of independence, can be employed. Classification of risks in accordance with CVE numbers as used herein also may be inclusive of statistical regression that is utilized to develop models of priority. The disclosed aspects can employ classifiers that are explicitly trained (e.g., via generic training data) as well as implicitly trained (e.g., via observing the input terms usage as it relates to software code, receiving extrinsic information, and so on).

The learning component 310 can utilize the SVM to employ a learning-based algorithm for multi-labels for group patterns. Multi-label group patterns are group patterns that are associated with different environments. For example, a group pattern can be associated with a network group and still be associated with an infrastructure group. Inputs to the SVM can comprise: labeled set $D_1$, unlabeled set $D_u$, number of steps $T$, and number of examples per iteration $S$, with $t = 1$. While $t \le T$, a multi-label SVM classifier $f$ can be trained based on the training data $D_1$. For one or more instances $x$ in $D_u$, the SVM can predict a label vector $y$ using a loss reduction (LR) based prediction method:

Equation 1:

$$D^*_s = \arg\max_{D_s} \left( \sum_{x \in D_s} \sum_{i=1}^{k} \frac{1 - y^i f_i(x)}{2} \right)$$

constrained to $y^i \in \{-1, 1\}$ (equation for maximum loss reduction with maximal confidence).

An expected loss reduction can be calculated with the most confident label vector $y$:

Equation 2:

$$\mathrm{score}(x) = \sum_{i=1}^{k} \frac{1 - y^i f_i(x)}{2}$$

The score(x) can be sorted by the learning component 310 in decreasing order for all $x$ in $D_u$. Thus, a set of $S$ examples $D^*_s$ with the largest scores can be selected (or input via the remote workstation device 316), and the training set $D_1 \leftarrow D_1 + D^*_s$ can be updated. Thereafter, the multi-label learner 1 with $D_1$ can be trained by the learning component 310, where $t = t + 1$. $f_i(x)$ is an SVM classifier associated with class $i$. The $x_1 \ldots x_n$ data points can be feature vectors for one or more grouping patterns such as: network segments, workloads, data-driven. The learning algorithms can be used to define group patterns and to reuse history to capture patterns and repeatedly use patches for known vulnerabilities.
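The selection loop of Equations 1 and 2 can be sketched as follows. This is an added example, not code from the disclosure: it assumes the most confident label vector is the sign of each classifier output, swaps a simple class-centroid linear scorer in for the SVM training step, and uses constructed host names, feature vectors and operator-supplied labels.

```python
from typing import Callable, Dict, List, Sequence, Tuple

Vector = Sequence[float]
Labels = Tuple[int, ...]             # one entry in {-1, +1} per class i = 1..k
Scorer = Callable[[Vector], float]   # f_i(x) for one class


def train_centroid_scorers(labeled: Dict[str, Tuple[Vector, Labels]]) -> List[Scorer]:
    """Stand-in for SVM training: one linear scorer per class built from
    the positive and negative class centroids (an assumption of this example)."""
    k = len(next(iter(labeled.values()))[1])
    scorers: List[Scorer] = []
    for i in range(k):
        pos = [x for x, y in labeled.values() if y[i] == 1]
        neg = [x for x, y in labeled.values() if y[i] == -1]
        if not pos or not neg:
            raise ValueError(f"class {i} needs both positive and negative examples")
        mu_p = [sum(c) / len(pos) for c in zip(*pos)]
        mu_n = [sum(c) / len(neg) for c in zip(*neg)]
        w = [p - n for p, n in zip(mu_p, mu_n)]
        # Decision boundary passes through the midpoint of the two centroids.
        b = -sum(wi * (p + n) / 2 for wi, p, n in zip(w, mu_p, mu_n))
        scorers.append(lambda x, w=w, b=b: sum(wi * xi for wi, xi in zip(w, x)) + b)
    return scorers


def score(x: Vector, scorers: List[Scorer]) -> float:
    """Equation 2 with y^i = sign(f_i(x)) as the most confident label vector."""
    total = 0.0
    for f in scorers:
        fx = f(x)
        y = 1 if fx >= 0 else -1
        total += (1 - y * fx) / 2
    return total


def select_batch(unlabeled: Dict[str, Vector], scorers: List[Scorer], s: int) -> List[str]:
    """Equation 1: sort by score in decreasing order and keep the S largest."""
    ranked = sorted(unlabeled, key=lambda h: score(unlabeled[h], scorers), reverse=True)
    return ranked[:s]


def active_learning(labeled, unlabeled, oracle, T, S, train=train_centroid_scorers):
    """Train, score the unlabeled set, move the S selected examples into the
    labeled set, and repeat for T steps. Returns (selection order, labeled set)."""
    labeled, unlabeled = dict(labeled), dict(unlabeled)
    picked: List[str] = []
    t = 1
    while t <= T and unlabeled:
        scorers = train(labeled)
        batch = select_batch(unlabeled, scorers, S)
        for host in batch:
            labeled[host] = (unlabeled.pop(host), oracle[host])
        picked.extend(batch)
        t += 1
    return picked, labeled


# Constructed sample data. Classes are (network group, workload group).
LABELED = {
    "host-a": ((1.0, 0.0), (1, -1)),
    "host-b": ((0.0, 1.0), (-1, 1)),
}
UNLABELED = {
    "host-c": (0.9, 0.1),
    "host-d": (0.5, 0.5),
    "host-e": (0.2, 0.7),
    "host-f": (1.0, 0.0),
}
# Labels an operator would supply for a selected host (constructed).
ORACLE = {
    "host-c": (1, -1),
    "host-d": (1, 1),
    "host-e": (-1, 1),
    "host-f": (1, -1),
}

if __name__ == "__main__":
    order, final = active_learning(LABELED, UNLABELED, ORACLE, T=2, S=1)
    print("selected for labeling, in order:", order)
    print("labeled set size:", len(final))
```

Hosts whose classifier outputs sit closest to zero receive the highest score, so labeling effort goes first to the machines whose group membership is least certain.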

The adjustment component 306 can modify and/or adjust the cloud network 102, 108 environment. For instance, if a particular physical machine 104 is prone to heightened risk factors, then the adjustment component 306 can remove the physical machine 104 from the group of physical machines 106, 110 to mitigate the risk. It should be noted that the adjustment component 306 can also add a physical machine 110 to a specific group of physical machines 104, 106 so that a patch associated with the physical machine 110 can be applied to the other physical machines 104, 106. Conversely, a remote workstation device 316 can be used to provide additional input data for analysis by the machine patching component 302. For example, in response to an automated process conflicting with a user input from the remote workstation device 316, the user input can override the automated process.

The input data from the remote workstation device 316 can be sent to the learning component 310 for analysis and reuse by the machine patching component 302. Input data from the remote workstation device 316 can also be stored in the patch database 320 and/or the pattern database 318. The pattern database 318 can be configured to store data associated with the patch groups, clustering, dynamic environments, and to identify patterns associated therewith. For example, patterns recognized by the learning component 310 can be stored in the pattern database 318. The patch database 320 can be configured to store data related to various patches and which vulnerabilities they mitigate for certain patch groups.

Aspects of the processor 314 can constitute machine-executable component(s) embodied within machine(s), e.g., embodied in one or more computer readable mediums (or media) associated with one or more machines. Such component(s), when executed by the one or more machines, e.g., computer(s), computing device(s), virtual machine(s), etc. can cause the machine(s) to perform the operations described by the machine patching component 302. In an aspect, the machine patching component 302 can also include memory 312 that stores computer executable components and instructions.

FIG. 4 illustrates yet another block diagram of an example, non-limiting system 400 that facilitates stream clustering in accordance with one or more embodiments described herein. Repetitive description of like elements employed in other embodiments described herein is omitted for sake of brevity.

System 400 comprises a data abstraction component 402, a data structure statistic summary component 404, and a clustering component 406, wherein the aforementioned components are electrically and/or communicatively coupled to one another.

In response to the control device 112 determining that the physical machine 104 is experiencing a lag, the control device 112 can generate and send control information to the physical machine 106 to cause the physical machine 106 to increase speed of operations to compensate for the performance of the physical machine 106 (e.g., dynamic environment change). As such, the control device 112 can group the physical machine 104 and the physical machine 106 in different groups. Because data points can be continuously and constantly received in response to dynamic environment changes, data streams can be handled as a chunk of data. Clustering algorithms to create and/or delete physical machine groups can be used to modify a cloud network 102, 108. The continual data streams can represent and cause a change in the environment. Therefore, when the clustering algorithm is executed (in units of micro-clusters as later discussed with regards to FIG. 5), the data abstraction component 402 can summarize the data as inputs to the algorithm. Because the data can be specific or custom to its data source, the data can be formatted (e.g., average, frequency, etc.) in accordance with a target data structure of the data structure statistic summary component 404. The clustering component 406 can then receive the formatted data to perform the clustering.

FIG. 5 illustrates an additional block diagram of an example, non-limiting system that facilitates micro-stream clustering in accordance with one or more embodiments described herein. Repetitive description of like elements employed in other embodiments described herein is omitted for sake of brevity.

The system 500 can comprise segmented data packets as micro-clusters $502_1 \ldots 502_q$. It should be understood that various stream-based clustering algorithms (e.g., micro-clusters) can perform clustering differently. For example, the clustering component 406 can generate a list of micro-clusters $502_1 \ldots 502_q$. Various names can represent the micro-cluster $502_2$: $N_2$, $LS_2$, $SS_2$, $LST_2$, and $SST_2$. Additionally, one or more physical machines 104, 106, 110 can be represented by a micro-cluster name. Therefore, the control device 112 can quickly identify a physical machine and one or more micro-clusters with which the physical machine can be associated.
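A minimal sketch of micro-cluster maintenance for patch groups follows. It is an added example, not code from the disclosure: it assumes N, LS, SS, LST and SST carry their usual CluStream meaning (point count, linear and squared sums of the features, linear and squared sums of the timestamps), which the text names but does not define, and the absorb boundary parameters, host names and feature vectors are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass
class MicroCluster:
    n: int            # N: number of points absorbed
    ls: List[float]   # LS: per-feature linear sum
    ss: List[float]   # SS: per-feature squared sum
    lst: float        # LST: sum of timestamps
    sst: float        # SST: sum of squared timestamps

    @classmethod
    def from_point(cls, x: Sequence[float], t: float) -> "MicroCluster":
        return cls(1, list(x), [v * v for v in x], t, t * t)

    def absorb(self, x: Sequence[float], t: float) -> None:
        # The summary is additive, so a new point only updates running sums.
        self.n += 1
        for d, v in enumerate(x):
            self.ls[d] += v
            self.ss[d] += v * v
        self.lst += t
        self.sst += t * t

    def centroid(self) -> List[float]:
        return [s / self.n for s in self.ls]

    def radius(self) -> float:
        # RMS deviation from the centroid, computed from the sums alone.
        var = sum(max(0.0, q / self.n - (s / self.n) ** 2)
                  for s, q in zip(self.ls, self.ss))
        return math.sqrt(var)


class PatchGroupStream:
    """Assigns each host observation to a micro-cluster and tracks which
    micro-cluster currently represents each host."""

    def __init__(self, floor: float = 0.5, factor: float = 2.0):
        self.floor = floor      # minimum absorb boundary (assumed parameter)
        self.factor = factor    # boundary as a multiple of the radius (assumed)
        self.clusters: List[MicroCluster] = []
        self.member_of: Dict[str, int] = {}

    def observe(self, host: str, x: Sequence[float], t: float) -> int:
        best, best_dist = -1, math.inf
        for idx, mc in enumerate(self.clusters):
            dist = math.dist(x, mc.centroid())
            if dist < best_dist:
                best, best_dist = idx, dist
        if best >= 0 and best_dist <= max(self.floor,
                                          self.factor * self.clusters[best].radius()):
            self.clusters[best].absorb(x, t)
        else:
            self.clusters.append(MicroCluster.from_point(x, t))
            best = len(self.clusters) - 1
        # A host that moved (e.g., after migration) is re-homed to its latest cluster.
        self.member_of[host] = best
        return best

    def patch_group(self, host: str) -> Set[str]:
        gid = self.member_of[host]
        return {h for h, g in self.member_of.items() if g == gid}


# Constructed stream: (timestamp, host, feature vector). web-2 migrates at t=5.
SAMPLE_STREAM: List[Tuple[int, str, Tuple[float, float]]] = [
    (1, "web-1", (1.0, 1.0)),
    (2, "web-2", (1.2, 0.8)),
    (3, "db-1", (5.0, 5.0)),
    (4, "db-2", (5.1, 4.9)),
    (5, "web-2", (5.0, 5.1)),
]


def replay(stream) -> PatchGroupStream:
    groups = PatchGroupStream()
    for t, host, x in stream:
        groups.observe(host, x, t)
    return groups


if __name__ == "__main__":
    g = replay(SAMPLE_STREAM)
    print("patch group of db-1:", sorted(g.patch_group("db-1")))
    print("micro-cluster 0:", g.clusters[0])
```

After the replay, web-2 is patched with the database hosts rather than with web-1; the first micro-cluster keeps its earlier statistics because the summaries describe the stream and are not decremented when a host moves.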

FIG. 6 illustrates a flow diagram of an example, non-limiting processoverview in accordance with one or more embodiments described herein.Repetitive description of like elements employed in other embodimentsdescribed herein is omitted for sake of brevity.

The method 600 can be used to facilitate the aforementioned systems. Atelement 602, the environment from which physical machines are operatingin can be discovered, noting that the environment is subject todynamically change. The system can run a commonality analysis to composepatch group sets and shared elements at element 604 (e.g., via the riskassessment component 308). The commonality analysis can be based on aperceived vulnerability associated with a physical machine. At element606, based on data received from the patch database 320, the physicalmachines can be determined to be cluster patch groups, and at element608 risk measurements for a cluster patch group can be assessed (e.g.,via the risk assessment component 308).

Based on the risk measurements at element 608, a patch policy can be applied to the cluster patch group at element 610 (e.g., via the monitoring component 304). At element 612, a server can be monitored (e.g., server addition, server deletion, etc.) and a micro-cluster set can be composed (e.g., via the monitoring component 304). The risk measurement can then be assessed for the micro-cluster at element 614 (e.g., via the risk assessment component 308), and another patch for the micro-cluster can be applied (e.g., via the monitoring component 304) at element 616. At element 618, group data can be updated and assessed against patterns stored in the pattern database 318. At element 620, the system can determine if patterns are known (e.g., via the learning component 310 that leverages machine learning algorithms). At element 620, the method 600 can comprise identifying patterns associated with vulnerabilities and patch groups. If no patterns are found, then the process can repeat at element 612. However, if patterns are found, then the pattern can be determined as a known pattern at element 622 and updated in the pattern database 318. Consequently, at element 624, new patterns can be updated to be monitored at element 612.

FIG. 7 illustrates a flow diagram of an example, non-limiting flow diagram that facilitates assessments for risk measurements 700 in accordance with one or more embodiments described herein. Repetitive description of like elements employed in other embodiments described herein is omitted for sake of brevity.

A process for assessing risk measurements can begin at block 702. The system can determine if a machine is prone to risks (e.g., via the risk assessment component 308) at block 704. If the machine is not prone to risk, then the process can end at block 706. However, if the system does identify a risk prone machine at block 704, then the system can evaluate (e.g., via the monitoring component 304) the risk associated with the machine. For example, if there is greater than a one percent chance of a high risk and/or there is greater than a twenty percent medium risk, then the machine can be labeled as a high risk machine (e.g., via the risk assessment component 308) at block 710, and the process can end at block 706. Conversely, if the high risk is less than one percent and/or less than a twenty percent of a medium risk, then the system can proceed to check for other risk factors. If the system then determines that a server has greater than zero percent and less than or equal to one percent high risk machines, or greater than between two percent to twenty percent medium risk machines, or greater than fifty percent low risk machines, then the machines can be labeled (e.g., via the risk assessment component 308) as a medium risk, and the process can proceed to end at block 706. Conversely, if any of the aforementioned factors are not met, then the system can label the machine (e.g., via the risk assessment component 308) as a low risk at element 716 and proceed to end at block 706. It should be understood that although the aforementioned risk percentages and partitions are used in relation to this disclosure, other percentages and partitions can be used based on risk thresholds.
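The threshold ladder above can be exercised at its boundaries with the following added example, which is not code from the disclosure. It assumes the percentages are the share of a patch group's members at each risk level, and reads "greater than between two percent to twenty percent" as more than 2% and at most 20%; the function names, group names and group compositions are constructed.

```python
from collections import Counter

LEVELS = ("high", "medium", "low")
SEVERITY = {"high": 0, "medium": 1, "low": 2}

def composition(member_levels):
    """Percent of a group's members at each level.

    Members with any other label (e.g. 'none') count only toward the total.
    """
    total = len(member_levels)
    counts = Counter(member_levels)
    return {lvl: (100.0 * counts[lvl] / total if total else 0.0)
            for lvl in LEVELS}

def label_group(pct):
    """Apply the quoted partitions (assumed reading, see lead-in)."""
    high, medium, low = pct["high"], pct["medium"], pct["low"]
    if high > 1.0 or medium > 20.0:
        return "high"
    if 0.0 < high <= 1.0 or 2.0 < medium <= 20.0 or low > 50.0:
        return "medium"
    return "low"

def patch_order(groups):
    """Label every group and sort so the riskiest groups come first."""
    labelled = {name: label_group(composition(levels))
                for name, levels in groups.items()}
    return sorted(labelled.items(), key=lambda kv: (SEVERITY[kv[1]], kv[0]))

def make_group(high=0, medium=0, low=0, size=200):
    """Constructed group of `size` members with the given level counts."""
    rest = size - high - medium - low
    return (["high"] * high + ["medium"] * medium
            + ["low"] * low + ["none"] * rest)

# Constructed groups chosen to sit on or next to each threshold.
GROUPS = {
    "grp-a": make_group(high=3),             # 1.5% high
    "grp-b": make_group(high=2),             # exactly 1% high
    "grp-c": make_group(medium=41),          # 20.5% medium
    "grp-d": make_group(medium=40),          # exactly 20% medium
    "grp-e": make_group(medium=3, low=80),   # 1.5% medium, 40% low
    "grp-f": make_group(low=101),            # 50.5% low
}

if __name__ == "__main__":
    for name, label in patch_order(GROUPS):
        print(name, label)
```

Under this reading, a group with some medium-risk members but no more than 2% of them (grp-e) matches none of the medium conditions and is labeled low, which is worth checking when choosing other partitions.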

FIG. 8 illustrates a flow diagram of an example, non-limiting computer-implemented method 800 that facilitates grouping and patching of machines in accordance with one or more embodiments described herein. Repetitive description of like elements employed in other embodiments described herein is omitted for sake of brevity.

At element 802, method 800 comprises, in response to a first risk associated with a first server device, patching (e.g., via the risk assessment component 308), by a device operatively coupled to a processor, a server group to mitigate a vulnerability of the first server device and a second server device, wherein the server group is comprised of the first server device and the second server device. At element 804, method 800 comprises monitoring (e.g., via the monitoring component 304), by the device, data associated with a second risk to the server group to mitigate the second risk to the server group.

FIG. 9 illustrates a flow diagram of another example, non-limiting computer-implemented method 900 that facilitates grouping and patching of machines in accordance with one or more embodiments described herein. Repetitive description of like elements employed in other embodiments described herein is omitted for sake of brevity.

At element 902, method 900 comprises, in response to a first risk associated with a first server device, patching (e.g., via the risk assessment component 308), by a device operatively coupled to a processor, a server group to mitigate a vulnerability of the first server device and a second server device, wherein the server group is comprised of the first server device and the second server device. At element 904, method 900 comprises monitoring (e.g., via the monitoring component 304), by the device, data associated with a second risk to the server group to mitigate the second risk to the server group. Additionally, at element 906, method 900 comprises modifying (e.g., via the adjustment component 306), by the device, the server group to mitigate the second risk of the server group, resulting in a server group modification.

FIG. 10 illustrates a flow diagram of another example, non-limiting computer-implemented method 1000 that facilitates grouping and patching of machines in accordance with one or more embodiments described herein. Repetitive description of like elements employed in other embodiments described herein is omitted for sake of brevity.

At element 1002, method 1000 comprises, in response to a first risk associated with a first server device, patching (e.g., via the risk assessment component 308), by a device operatively coupled to a processor, a server group to mitigate a vulnerability of the first server device and a second server device, wherein the server group is comprised of the first server device and the second server device. At element 1004, method 1000 comprises monitoring (e.g., via the monitoring component 304), by the device, data associated with a second risk to the server group to mitigate the second risk to the server group. Furthermore, at element 1006, the method can comprise receiving an indication (e.g., via the adjustment component 306) that the server group has been modified.

In order to provide a context for the various aspects of the disclosed subject matter, FIG. 11 as well as the following discussion is intended to provide a general description of a suitable environment in which the various aspects of the disclosed subject matter can be implemented. FIG. 11 illustrates a block diagram of an example, non-limiting operating environment in which one or more embodiments described herein can be facilitated. Repetitive description of like elements employed in other embodiments described herein is omitted for sake of brevity. With reference to FIG. 11, a suitable operating environment 1100 for implementing various aspects of this disclosure can also include a computer 1112. The computer 1112 can also include a processing unit 1114, a system memory 1116, and a system bus 1118. The system bus 1118 couples system components including, but not limited to, the system memory 1116 to the processing unit 1114. The processing unit 1114 can be any of various available processors. Dual microprocessors and other multiprocessor architectures also can be employed as the processing unit 1114. The system bus 1118 can be any of several types of bus structure(s) including the memory bus or memory controller, a peripheral bus or external bus, and/or a local bus using any variety of available bus architectures including, but not limited to, Industrial Standard Architecture (ISA), Micro-Channel Architecture (MSA), Extended ISA (EISA), Intelligent Drive Electronics (IDE), VESA Local Bus (VLB), Peripheral Component Interconnect (PCI), Card Bus, Universal Serial Bus (USB), Advanced Graphics Port (AGP), Firewire (IEEE 1394), and Small Computer Systems Interface (SCSI).

The system memory 1116 can also include volatile memory 1120 and nonvolatile memory 1122. The basic input/output system (BIOS), containing the basic routines to transfer information between elements within the computer 1112, such as during start-up, is stored in nonvolatile memory 1122. By way of illustration, and not limitation, nonvolatile memory 1122 can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, or nonvolatile random access memory (RAM) (e.g., ferroelectric RAM (FeRAM)). Volatile memory 1120 can also include random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), direct Rambus RAM (DRRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM.

Computer 1112 can also include removable/non-removable, volatile/non-volatile computer storage media. FIG. 11 illustrates, for example, a disk storage 1124. Disk storage 1124 can also include, but is not limited to, devices like a magnetic disk drive, floppy disk drive, tape drive, Jaz drive, Zip drive, LS-100 drive, flash memory card, or memory stick. The disk storage 1124 also can include storage media separately or in combination with other storage media including, but not limited to, an optical disk drive such as a compact disk ROM device (CD-ROM), CD recordable drive (CD-R Drive), CD rewritable drive (CD-RW Drive) or a digital versatile disk ROM drive (DVD-ROM). To facilitate connection of the disk storage 1124 to the system bus 1118, a removable or non-removable interface is typically used, such as interface 1126. FIG. 11 also depicts software that acts as an intermediary between users and the basic computer resources described in the suitable operating environment 1100. Such software can also include, for example, an operating system 1128. Operating system 1128, which can be stored on disk storage 1124, acts to control and allocate resources of the computer 1112.

System applications 1130 take advantage of the management of resources by operating system 1128 through program modules 1132 and program data 1134, e.g., stored either in system memory 1116 or on disk storage 1124. It is to be appreciated that this disclosure can be implemented with various operating systems or combinations of operating systems. A user enters commands or information into the computer 1112 through input device(s) 1136. Input devices 1136 include, but are not limited to, a pointing device such as a mouse, trackball, stylus, touch pad, keyboard, microphone, joystick, game pad, satellite dish, scanner, TV tuner card, digital camera, digital video camera, web camera, and the like. These and other input devices connect to the processing unit 1114 through the system bus 1118 via interface port(s) 1138. Interface port(s) 1138 include, for example, a serial port, a parallel port, a game port, and a universal serial bus (USB). Output device(s) 1140 use some of the same type of ports as input device(s) 1136. Thus, for example, a USB port can be used to provide input to computer 1112, and to output information from computer 1112 to an output device 1140. Output adapter 1142 is provided to illustrate that there are some output devices 1140 like monitors, speakers, and printers, among other output devices 1140, which require special adapters. The output adapters 1142 include, by way of illustration and not limitation, video and sound cards that provide a means of connection between the output device 1140 and the system bus 1118. It should be noted that other devices and/or systems of devices provide both input and output capabilities such as remote computer(s) 1144.

Computer 1112 can operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 1144. The remote computer(s) 1144 can be a computer, a server, a router, a network PC, a workstation, a microprocessor based appliance, a peer device or other common network node and the like, and typically can also include many or all of the elements described relative to computer 1112. For purposes of brevity, only a memory storage device 1146 is illustrated with remote computer(s) 1144. Remote computer(s) 1144 is logically connected to computer 1112 through a network interface 1148 and then physically connected via communication connection 1150. Network interface 1148 encompasses wire and/or wireless communication networks such as local-area networks (LAN), wide-area networks (WAN), cellular networks, etc. LAN technologies include Fiber Distributed Data Interface (FDDI), Copper Distributed Data Interface (CDDI), Ethernet, Token Ring and the like. WAN technologies include, but are not limited to, point-to-point links, circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon, packet switching networks, and Digital Subscriber Lines (DSL). Communication connection(s) 1150 refers to the hardware/software employed to connect the network interface 1148 to the system bus 1118. While communication connection 1150 is shown for illustrative clarity inside computer 1112, it can also be external to computer 1112. The hardware/software for connection to the network interface 1148 can also include, for exemplary purposes only, internal and external technologies such as, modems including regular telephone grade modems, cable modems and DSL modems, ISDN adapters, and Ethernet cards.

Referring now to FIG. 12, illustrative cloud computing environment 1200 is depicted. As shown, cloud computing environment 1200 includes a cloud 50 and one or more cloud computing nodes 10 with which local computing devices used by cloud consumers, such as, for example, personal digital assistant (PDA) or cellular telephone 54A, desktop computer 54B, laptop computer 54C, and/or automobile computer system 54N may communicate. Nodes 10 may communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as Private, Community, Public, or Hybrid clouds as described hereinabove, or a combination thereof. This allows the cloud computing environment 1200 to offer infrastructure, platforms and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices 54A-N shown in FIG. 12 are intended to be illustrative only and that computing nodes 10 and the cloud 50 can communicate with any type of computerized device over any type of network and/or network addressable connection (e.g., using a web browser).

Referring now to FIG. 13, a set of functional abstraction layers 1300 provided by cloud computing environment 1200 (FIG. 12) is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 13 are intended to be illustrative only and embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided.

Hardware and software layer 60 includes hardware and software components. Examples of hardware components include: mainframes 61; RISC (Reduced Instruction Set Computer) architecture based servers 62; servers 63; blade servers 64; storage devices 65; and networks and networking components 66. In some embodiments, software components include network application server software 67 and database software 68.

Virtualization layer 70 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers 71; virtual storage 72; virtual networks 73, including virtual private networks; virtual applications and operating systems 74; and virtual clients 75.

In one example, management layer 80 may provide the functions described below. Resource provisioning 81 provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and Pricing 82 provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may include application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. User portal 83 provides access to the cloud computing environment for consumers and system administrators. Service level management 84 provides cloud computing resource allocation and management such that required service levels are met. Service Level Agreement (SLA) planning and fulfillment 85 provide pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.

Workloads layer 90 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include: mapping and navigation 91; software development and lifecycle management 92; virtual classroom education delivery 93; data analytics processing 94; transaction processing 95; and dynamic re-composition of patch groups using stream clustering.

The present disclosure may be a system, a method, an apparatus and/or a computer program product at any possible technical detail level of integration. The computer program product can include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present disclosure. The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium can be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium can also include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network can comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device. Computer readable program instructions for carrying out operations of the present disclosure can be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, configuration data for integrated circuitry, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++, or the like, and procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions can execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer can be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection can be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) can execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present disclosure.

Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions. These computer readable program instructions can be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions can also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks. The computer readable program instructions can also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational acts to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams can represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the blocks can occur out of the order noted in the Figures. For example, two blocks shown in succession can, in fact, be executed substantially concurrently, or the blocks can sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

While the subject matter has been described above in the general context of computer-executable instructions of a computer program product that runs on a computer and/or computers, those skilled in the art will recognize that this disclosure also can or can be implemented in combination with other program modules. Generally, program modules include routines, programs, components, data structures, etc. that perform particular tasks and/or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the inventive computer-implemented methods can be practiced with other computer system configurations, including single-processor or multiprocessor computer systems, mini-computing devices, mainframe computers, as well as computers, hand-held computing devices (e.g., PDA, phone), microprocessor-based or programmable consumer or industrial electronics, and the like. The illustrated aspects can also be practiced in distributed computing environments in which tasks are performed by remote processing devices that are linked through a communications network. However, some, if not all aspects of this disclosure can be practiced on stand-alone computers. In a distributed computing environment, program modules can be located in both local and remote memory storage devices.

As used in this application, the terms “component,” “system,” “platform,” “interface,” and the like, can refer to and/or can include a computer-related entity or an entity related to an operational machine with one or more specific functionalities. The entities disclosed herein can be either hardware, a combination of hardware and software, software, or software in execution. For example, a component can be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process and/or thread of execution and a component can be localized on one computer and/or distributed between two or more computers. In another example, respective components can execute from various computer readable media having various data structures stored thereon. The components can communicate via local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the Internet with other systems via the signal). As another example, a component can be an apparatus with specific functionality provided by mechanical parts operated by electric or electronic circuitry, which is operated by a software or firmware application executed by a processor. In such a case, the processor can be internal or external to the apparatus and can execute at least a part of the software or firmware application. As yet another example, a component can be an apparatus that provides specific functionality through electronic components without mechanical parts, wherein the electronic components can include a processor or other means to execute software or firmware that confers at least in part the functionality of the electronic components. In an aspect, a component can emulate an electronic component via a physical machine, e.g., within a cloud computing system.

In addition, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or.” That is, unless specified otherwise, or clear from context, “X employs A or B” is intended to mean any of the natural inclusive permutations. That is, if X employs A; X employs B; or X employs both A and B, then “X employs A or B” is satisfied under any of the foregoing instances. Moreover, articles “a” and “an” as used in the subject specification and annexed drawings should generally be construed to mean “one or more” unless specified otherwise or clear from context to be directed to a singular form. As used herein, the terms “example” and/or “exemplary” are utilized to mean serving as an example, instance, or illustration. For the avoidance of doubt, the subject matter disclosed herein is not limited by such examples. In addition, any aspect or design described herein as an “example” and/or “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs, nor is it meant to preclude equivalent exemplary structures and techniques known to those of ordinary skill in the art.

As it is employed in the subject specification, the term “processor” can refer to substantially any computing processing unit or device comprising, but not limited to, single-core processors; single-processors with software multithread execution capability; multi-core processors; multi-core processors with software multithread execution capability; multi-core processors with hardware multithread technology; parallel platforms; and parallel platforms with distributed shared memory. Additionally, a processor can refer to an integrated circuit, an application specific integrated circuit (ASIC), a digital signal processor (DSP), a field programmable gate array (FPGA), a programmable logic controller (PLC), a complex programmable logic device (CPLD), a discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. Further, processors can exploit nano-scale architectures such as, but not limited to, molecular and quantum-dot based transistors, switches and gates, in order to optimize space usage or enhance performance of user equipment. A processor can also be implemented as a combination of computing processing units. In this disclosure, terms such as “store,” “storage,” “data store,” “data storage,” “database,” and substantially any other information storage component relevant to operation and functionality of a component are utilized to refer to “memory components,” entities embodied in a “memory,” or components comprising a memory. It is to be appreciated that memory and/or memory components described herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of illustration, and not limitation, nonvolatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable ROM (EEPROM), flash memory, or nonvolatile random access memory (RAM) (e.g., ferroelectric RAM (FeRAM)). Volatile memory can include RAM, which can act as external cache memory, for example. By way of illustration and not limitation, RAM is available in many forms such as synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), direct Rambus RAM (DRRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM). Additionally, the disclosed memory components of systems or computer-implemented methods herein are intended to include, without being limited to including, these and any other suitable types of memory.

What has been described above includes mere examples of systems and computer-implemented methods. It is, of course, not possible to describe every conceivable combination of components or computer-implemented methods for purposes of describing this disclosure, but one of ordinary skill in the art can recognize that many further combinations and permutations of this disclosure are possible. Furthermore, to the extent that the terms “includes,” “has,” “possesses,” and the like are used in the detailed description, claims, appendices and drawings such terms are intended to be inclusive in a manner similar to the term “comprising” as “comprising” is interpreted when employed as a transitional word in a claim.

The descriptions of the various embodiments have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

What is claimed is:
 1. A computer-implemented method, comprising: generating, by a device operatively coupled to a processor, a risk prediction classification model based on an analysis of risk data associated with one or more previous risks; identifying, by the device, a subset of server devices that share at least one common vulnerability from a plurality of server devices on a network; adding, by the device, the subset of server devices to a server group; employing, by the device, the risk prediction classification model to identify a risk associated with a first server device; and in response to identification of the risk associated with the first server device of the server group, patching, by the device, the subset of server devices of the server group to mitigate the risk to the server group.
 2. The computer-implemented method of claim 1, wherein the risk is associated with a vulnerability of the first server device to a malware attack.
 3. The computer-implemented method of claim 1, wherein the risk data is associated with the server group.
 4. The computer-implemented method of claim 1, further comprising: receiving, by the device, an indication that the server group has been modified resulting in a modified server group.
 5. The computer-implemented method of claim 4, further comprising: employing, by the device, the risk prediction classification model to identify one or more risks associated with the modified server group.
 6. The computer-implemented method of claim 4, wherein the modified server group comprises removal of a second server device from the server group.
 7. The computer-implemented method of claim 4, wherein the modified server group comprises addition of another server device to the server group.
 8. A computer program product that facilitates server group patching, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to: generate a risk prediction classification model based on an analysis of risk data associated with one or more previous risks; identify a subset of server devices that share at least one common vulnerability from a plurality of server devices on a network; add the subset of server devices to a server group; employ the risk prediction classification model to identify a risk associated with a first server device; and in response to identification of the risk associated with the first server device of the server group, patch the subset of server devices of the server group to mitigate the risk to the server group.
 9. The computer program product of claim 8, wherein the risk is associated with a vulnerability of the first server device to a malware attack.
 10. The computer program product of claim 8, wherein the risk data is associated with the server group.
 11. The computer program product of claim 8, wherein the program instructions are further executable by the processor to cause the processor to: receive an indication that the server group has been modified resulting in a modified server group.
 12. The computer program product of claim 11, wherein the program instructions are further executable by the processor to cause the processor to: employ the risk prediction classification model to identify one or more risks associated with the modified server group.
 13. The computer program product of claim 11, wherein the modified server group comprises removal of a second server device from the server group.
 14. The computer program product of claim 11, wherein the modified server group comprises addition of another server device to the server group.
 15. A system, comprising: a memory that stores computer executable components; and a processor that executes the computer executable components stored in the memory, wherein the computer executable components comprise: an adjustment component that: identifies a subset of server devices that share at least one common vulnerability from a plurality of server devices on a network; and adds the subset of server devices to a server group; and a risk assessment component that: in response to identification of a risk associated with a first server device of the server group, patches the subset of server devices in the server group to mitigate the risk to the server group; and wherein the adjustment component, in response to identification of an additional risk to the server group, modifies the server group to mitigate the additional risk to the server group via a server group modification comprising removal of a second server device from the server group.
 16. The system of claim 15, wherein the risk is associated with a vulnerability of the first server device to a malware attack.
 17. The system of claim 15, wherein the risk is associated with a reduction in performance of the first server device.
 18. The system of claim 15, wherein the server group comprises a workload group of server devices.
 19. The system of claim 15, wherein the server group comprises a network group of server devices.
 20. The system of claim 15, wherein the server group comprises an infrastructure group of server devices.